topic Re: Does Cortex XDR run the Malware scan if the USB device is inserted into the endpoint? in Cortex XDR Discussions

Does Cortex XDR run the Malware scan if the USB device is inserted into the endpoint?

RahulPrajapati — Fri, 26 Aug 2022 08:27:18 GMT

Hi everyone,

Does Cortex XDR run the malware scan on the USB device immediately when it is inserted into the endpoint?

Re: Does Cortex XDR run the Malware scan if the USB device is inserted into the endpoint?

creddy — Fri, 26 Aug 2022 09:01:46 GMT

Currently XDR doesn't have a feature to run the malware scan on the media / USB devices immediately when inserted into the endpoint.
You may check with your support account team to see if there are any possibilities of getting it in future versions as part of product developments.
Thank you!

Re: Does Cortex XDR run the Malware scan if the USB device is inserted into the endpoint?

RahulPrajapati — Fri, 26 Aug 2022 09:14:50 GMT

Hi @creddy ,

Thanks for the response!

Is there any way by which we can know from the XDR console; when the user is inserting the USB devices on their endpoints?

Re: Does Cortex XDR run the Malware scan if the USB device is inserted into the endpoint?

creddy — Fri, 26 Aug 2022 09:37:35 GMT

Hi @RahulPrajapati ,
Using device control you can manage devices connecting to endpoint. Refer link below for more details.
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-endpoint-security/device-control

After you apply Device Control rules in your environment, use the Endpoints -> Device Control Violations page to monitor all instances where end users attempted to connect restricted USB-connected devices and Cortex XDR blocked them on the endpoint. All violation logs are displayed on the page. You can sort the results, and use the filters menu to narrow down the results. For each violation event Cortex XDR logs the event details, the platform, and the device details that are available.

Please mark this solution if it answered your queries on this post.
Thank you!

Re: Does Cortex XDR run the Malware scan if the USB device is inserted into the endpoint?

maksymilianjan — Fri, 26 Aug 2022 09:40:34 GMT

Hello,

Just to add some tips into this, there is a way to create querys/alerts even on this kind of events.

For example check the following link:

https://www.sciencedirect.com/topics/computer-science/window-registry#:~:text=Windows%20registry%20stores%20information%20about,been%20plugged%20into%20the%20system.

I have used similar techniques to this in investigations but its rather on your side and more of a "windows internals" thing.

Max

Re: Does Cortex XDR run the Malware scan if the USB device is inserted into the endpoint?

RahulPrajapati — Fri, 26 Aug 2022 09:52:02 GMT

Hi @maksymilianjan ,

Thanks! Can you please share the query to create this alert?

Re: Does Cortex XDR run the Malware scan if the USB device is inserted into the endpoint?

neelrohit — Fri, 26 Aug 2022 18:11:20 GMT

Hi @RahulPrajapati , @creddy and @maksymilianjan ,

As we know that Cortex XDR is an execution based detection and prevention solution, it has the capability to detect malwares if they execute even from removable media on the endpoint. As a result on connection scan is something that is not a hard requirement for detection of malwares. Practice recommendation in these used cases can be that you use restriction profiles to restrict execution of executables and other files from the removable media and if the user intends to execute some files present on the media, it should be copied to a folder on the endpoint locally for execution. Assuming, that the user does not execute the file instantaneously and if it stays on the system, periodic scan should be able to determine the verdict for the same.

Additionally, the Cortex XDR agent does not perform USB scan on connection, however, it has the capability to scan removable media as part of the periodic malware scan if required. You can enable this in the malware profiles, under category Endpoint Scanning> Periodic Scan -> Enabled and under then you should have the option to Scan Removable Media Drives->Enabled.

Screenshot below for reference

Re: Does Cortex XDR run the Malware scan if the USB device is inserted into the endpoint?

EdwardDiaz — Mon, 10 Jul 2023 17:04:02 GMT

Do you happen to know if the "Scan Removable Drives" would include mapped network drives? We have hundreds of endpoints, and the last thing we need is all of them scanning the same shared network drive.

Re: Does Cortex XDR run the Malware scan if the USB device is inserted into the endpoint?

neelrohit — Tue, 11 Jul 2023 06:24:31 GMT

Hi @EdwardDiaz ,

Mapped network drives are not scanned as part of the malware scan by the endpoints. Instead, if initiated on the endpoint which hosts the network drive, the network drive being considered a part of a persistent drive for a specific endpoint/server, will be scanned as a drive path.

Hope this helps!

Re: Does Cortex XDR run the Malware scan if the USB device is inserted into the endpoint?

neelrohit — Thu, 13 Jul 2023 04:52:19 GMT

Hi @RahulPrajapati ,

To add on @creddy 's response, you can choose to create XQL queries for looking into file write events on removable media using XQL queries which essentially would give the same result. If you have identity analytics module active. Uncommon USB connection activities are anyways automatically tracked and generate alerts for you.

Hope this helps